5.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
18.0%
In Weave Net before version 2.6.3, an attacker able to run a process as
root in a container is able to respond to DNS requests from the host and
thereby insert themselves as a fake service. In a cluster with an IPv4
internal network, if IPv6 is not totally disabled on the host (via
ipv6.disable=1 on the kernel cmdline), it will be either unconfigured or
configured on some interfaces, but it’s pretty likely that ipv6 forwarding
is disabled, ie /proc/sys/net/ipv6/conf//forwarding == 0. Also by default,
/proc/sys/net/ipv6/conf//accept_ra == 1. The combination of these 2 sysctls
means that the host accepts router advertisements and configure the IPv6
stack using them. By sending rogue router advertisements, an attacker can
reconfigure the host to redirect part or all of the IPv6 traffic of the
host to the attacker controlled container. Even if there was no IPv6
traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many
HTTP libraries will try to connect via IPv6 first then fallback to IPv4,
giving an opportunity to the attacker to respond. If by chance you also
have on the host a vulnerability like last year’s RCE in apt
(CVE-2019-3462), you can now escalate to the host. Weave Net version 2.6.3
disables the accept_ra option on the veth devices that it creates.
github.com/weaveworks/weave/commit/15f21f1899060f7716c70a8555a084e836f39a60
github.com/weaveworks/weave/security/advisories/GHSA-59qg-grp7-5r73
launchpad.net/bugs/cve/CVE-2020-11091
nvd.nist.gov/vuln/detail/CVE-2020-11091
security-tracker.debian.org/tracker/CVE-2020-11091
www.cve.org/CVERecord?id=CVE-2020-11091
5.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
18.0%